Credit reporting firm Equifax says data breach could potentially affect 143 million US consumers

Discussion in 'other security issues & news' started by ronjor, Sep 7, 2017.

  1. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    I hear you. I am surely not going to use their "free" protection either. Ugh, guess I need to look into Lifelock or IDShield.
     
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,079
    Location:
    DC Metro Area
  3. compleo

    compleo Registered Member

    Joined:
    May 3, 2016
    Posts:
    134
    Not sure if this means anything, but trustedidpremier was just registered---.Domain Information
     
  4. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    https://www.reddit.com/r/CringeAnarchy/comments/6ywn7r/chief_security_officer_at_equifax/

    The chief security officer at Equifax has her main academic degrees in music composition. WTF is Equifax thinking? This is a crime that they intentionally hired this incompetent CSO ***** who knows nothing about cyber security. This is a crime because Equifax treats customers' most private info as "free for grab". I am ******* mad at these stupid and greedy Equifax morons.
     
  5. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,549
    Location:
    Triassic
    When bad things happen we go back and try to identify the source of the problem. In this case several things have contributed to this disaster...
    - the unlawful collection, storing and use of SSN and SIN by a private company
    - the collection, storing and use of private financial data by a corporation without an individual's consent
    - negligence when securing sensitive data
    - executives delaying informing the public and law enforcement of the breach for their own purposes (greed and abuse of power)
    - government representatives and regulators reactive rather than proactive
    - law makers overly influenced by corporate donors
    - laws associated with the collection, storing and use of consumer data by corporations are sorely inadequate
    - victims are expected to deal with the costs and fallout of the criminal activity that ensues from security breaches
    - class action suits make lawyers rich and do not reimburse the victims either financially or emotionally

    The company believes that the cause of the breach comes down to an unpatched security vulnerability in the Java web development software they use. It is more than obvious that even if the vulnerability is addressed, the above list of problems (the short version) is what made this situation so horrendous. These vulnerabilities have to be addressed too.

    Unfortunately companies will continue to use our personal data. They believe they are entitled to it and so apparently do our lawmakers.
     
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,079
    Location:
    DC Metro Area
    OK, so

    Everyone is saying a good way to get some limited protection post-breach is to put a freeze on your credit reports. When you do that you will need a PIN to unfreeze the report in the event you apply for credit or need your identity validated so that your credit report can be checked.

    If you want to freeze your Equifax credit report you don't get to make your unfreeze PIN -- Equifax assigns you a PIN AND, drum roll please:

    "... Equifax PINs aren’t chosen at random, they are simply the date and time at which you performed your freeze..."

    https://nakedsecurity.sophos.com/2017/09/10/equifax-woeful-pins-put-frozen-credit-files-at-risk/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+nakedsecurity+(Naked+Security+-+Sophos)

    Bravo!! Not.
     
    Last edited: Sep 10, 2017
  7. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    So for those of us here that were affected by this, what are you all doing? Getting Lifelock or something similar?
     
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,079
    Location:
    DC Metro Area
    LifeLock Reviews:

    https://www.consumeraffairs.com/privacy/lifelock.html

    Looks like peeps either love it (5 stars) or hate it (1 star).

    One thing seems clear. Only choose LifeLock if you are sure cuz it appears it can be very difficult to cancel.

    The company has a sordid past:

    "..In 2015, the FTC found LifeLock to be in contempt of the 2010 agreement, charging that they 'failed to establish and maintain a comprehensive information security program', and 'falsely advertised that it protected consumers' sensitive data'. The FTC obtained a $100 million monetary penalty against LifeLock to settle the contempt charge..."

    https://en.wikipedia.org/wiki/LifeLock
     
    Last edited: Sep 10, 2017
  9. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Well, looks like Lifelock is a no go lol.
     
  10. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,079
    Location:
    DC Metro Area
    Yeah :)
     
  11. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Gotta love the News Media suggestions! There is an article on Forbes today that suggests folks affected use annualcreditreport to monitor their status.

    Guess who runs annual credit report? Yes indeed, our friends Equifax.
    And guess what happened in 2013? Yes indeed, it was hacked. The following is a blurb regarding that one:

    "The Equifax credit bureau confirmed Tuesday (March 2013) that criminals have stolen credit reports from AnnualCreditReport.com, the website designed to allow consumers free access to their own credit reports.

    The theft suggests criminals have outfoxed AnnualCreditReport.com’s defenses, potentially giving them access to potentially 200 million Americans’ credit reports. According to the Consumer Financial Protection Bureau, 16 million consumers use AnnualCreditReport.com annually"
     
  12. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Wow, just plain disgusting!
     
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,079
    Location:
    DC Metro Area
    More on Equifax and Apache STRUTS including this nugget:

    "Apache Struts Flaw Reportedly Exploited in Equifax Hack...

    If Apache Struts was in fact targeted in the Equifax attack, a more likely explanation is that the cybercriminals leveraged CVE-2017-5638, a vulnerability exploited in the wild since March. Attacks started just a few days after the release of a patch, and the flaw has been used in several campaigns..."

    http://www.securityweek.com/apache-...gn=Feed: Securityweek (SecurityWeek RSS Feed)
     
  14. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    http://m.static.newsvine.com/servista/imagesizer?file=bob-sullivan2988E514-2BF4-4B31-AA4A-C66AF2320361.jpg&width=660
    For those who may have been breached and are concerned- the way things work on the DarkWeb is like this- the credentials for sale are listed by both the State you live in and your credit score. The higher the credit score the more the price to purchase this information.

    For instance- 700-750- $75USD
    751-799 $80USD
    >799 $90USD

    (This is the pricelist from a commonly used website that obviously I will not link to.)

    Note that there is no offering for the sub 700 credit score folks. So if your credit score sucks and you were breached, you are probably Golden.
     
  15. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,079
    Location:
    DC Metro Area
    "Equifax moves to fix weak PINs for “security freeze” on consumer credit reports...

    In response to an inquiry from Ars, an Equifax spokesperson said:

    '...We are engaged in a process that will provide consumers a randomly generated PIN. We expect this change to be effective within 24 hours...'..."

    https://arstechnica.com/information...r-security-freeze-on-consumer-credit-reports/
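
    An added illustration of the PIN weakness quoted in this thread and the "randomly generated PIN" fix mentioned above; it is not part of any post and not Equifax's code. The 10-digit month/day/year/hour/minute layout and the sample date are assumptions made for the example.

```python
import math
import secrets
from datetime import datetime, timedelta

# Assumed layout (month, day, 2-digit year, hour, minute); the thread only
# says "date and time", so this format is an illustration.
PIN_FORMAT = "%m%d%y%H%M"
PIN_DIGITS = 10

def timestamp_pin(moment):
    """Weak scheme: the PIN is just the minute the freeze was placed."""
    return moment.strftime(PIN_FORMAT)

def random_pin(digits=PIN_DIGITS):
    """Corrected scheme: each digit drawn from the OS CSPRNG."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))

def timestamp_candidates(window):
    """Distinct minute-resolution PINs if the freeze fell inside `window`."""
    return int(window.total_seconds() // 60)

def guess_space_bits(candidates):
    """Size of the guess space in bits."""
    return math.log2(candidates)

def parses_as_timestamp(pin, earliest, latest):
    """Audit check: does an issued PIN decode to a plausible freeze time?"""
    if len(pin) != PIN_DIGITS or not pin.isdigit():
        return False
    try:
        decoded = datetime.strptime(pin, PIN_FORMAT)
    except ValueError:
        return False
    # Round-trip to reject strings strptime accepted loosely.
    return timestamp_pin(decoded) == pin and earliest <= decoded <= latest

if __name__ == "__main__":
    freeze = datetime(2017, 9, 10, 14, 32)  # constructed sample time
    week = timedelta(days=7)
    print("timestamp PIN         :", timestamp_pin(freeze))
    print("bits, 1-week window   :", round(guess_space_bits(timestamp_candidates(week)), 1))
    print("bits, random 10 digits:", round(guess_space_bits(10 ** PIN_DIGITS), 1))
    print("random PIN            :", random_pin())
```

    A PIN tied to a one-week window carries about 13 bits of guess space against about 33 bits for ten random digits; the audit function is the kind of check an issuer could run over already-assigned PINs to find ones that need reissuing.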
     
  16. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I never got any such notification.
     
  17. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,079
    Location:
    DC Metro Area
    Patience @boredog.

    You must be #1,295,000 on the list or something. o_O

    NB: That quote came from an initial news story about the breach. I have read a lot about the breach and Equifax's response to it and while notification by mail should be done, that is the only place I have seen any mention of notification by mail.
     
  18. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Checked my credit report many years ago because I wondered why I could not get a loan and found a 4000 debt from an account I never had. Calling the credit bureau didn't do any good. I said to them if I had an unpaid debt for 5 years, don't you think someone would have taken me to court. Anyway it took me almost a year to get that sucker off my record. I ended up getting the bank that the alleged debt was with to write a letter to the credit bureau to get it removed.
     
  19. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,079
    Location:
    DC Metro Area
    You are not alone @boredog.

    In a post in this thread I talked about how a number of years ago Experian had someone else's social security number listed as mine, and:

    "How the careless errors of credit reporting agencies are ruining people’s lives

    Their files are full of obvious mistakes that the companies are in no rush to correct...

    The Federal Trade Commission’s last large-scale study of credit reports, published in 2012, found that 26 percent of the consumers it examined had at least one mistake in their files. And 5 percent had errors that could be devastating, potentially denying lines of credit to them and making things like auto insurance prohibitively expensive. 'To have that error level, it’s akin to 5 percent of automobiles spontaneously accelerating and having an accident, or 5 percent of planes falling from the sky,'...'We wouldn’t accept that error rate in other areas.' ..."

    https://www.washingtonpost.com/post...reporting-agencies-are-ruining-peoples-lives/

    More than 12% had an error serious enough to change their credit scores:

    http://www.creditcards.com/credit-card-news/ftc-credit-report-mistakes-1270.php
     
    Last edited: Sep 11, 2017
  20. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,549
    Location:
    Triassic
    Here is a list of who may request a copy of your credit report (legally) ...

    https://www.consumerfinance.gov/ask-cfpb/who-may-request-my-credit-report-en-1305/

    When a consumer requests a copy of their credit report, it arrives by snail mail. I could not find out how those who are 'authorized' receive a copy - anybody know?

    If by snail mail, are they obligated to shred it afterwards or do they file it with your paper records? If it is sent online, say by email, is it encrypted? If it is an info screen provided by the credit reporting company, can the info be printed, saved? What security protects this communication? I could not find answers.
     
  21. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,079
    Location:
    DC Metro Area
    Last edited: Sep 11, 2017
  22. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,549
    Location:
    Triassic
    @hawki. Tnx, I checked it out. It does arrive online and you can save it and print it out. And there is an iPhone and Android app too. I hope creditors, potential employers, landlords etc etc. can not get it the same way.
     
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,079
    Location:
    DC Metro Area
    YW @emmjay :)

    Creditors, potential employers, landlords etc., are Equifax's profit-making customers. Whatever we as Equifax's product can get, rest assured that the customers can get it better/faster.
     
  24. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,079
    Location:
    DC Metro Area
    "Equifax's credit-monitoring site also reportedly hackable...

    A site Equifax set up to help worried consumers create alerts and freeze accounts after the credit-monitoring firm revealed a massive data breach is also vulnerable to hack, ZDNet reported Monday....

    A cross-site scripting vulnerability could allow hackers to spoof the site via a malicious link and then siphon off any personal information visitors submit, the CNET sister site reported. Hackers could insert the malicious code in Equifax's web address, tricking the browser into treating the site as secure and displaying the "lock" icon in the browser window, ZDNet reported...

    Equifax didn't immediately respond to a request for comment."

    https://www.cnet.com/news/equifaxs-credit-monitoring-site-also-reportedly-hackable/

    The full, more detailed ZDNet report is here:

    NB: ZDNet deploys browser canvas fingerprinting.

    http://www.zdnet.com/article/equifa...s-also-vulnerable-to-hacking/#ftag=RSSbaffb68
     
    Last edited: Sep 11, 2017
  25. compleo

    compleo Registered Member

    Joined:
    May 3, 2016
    Posts:
    134